View Issue Details
ID: 0049052
Type: backport
Category: [Openbravo ERP] A. Platform
Severity: critical
Reproducibility: always
Date Submitted: 2022-04-12 12:27
Last Update: 2022-04-26 14:27
Reporter: fermin_ostivar
View Status: public
Assigned To: AugustoMauch
Priority: immediate
Resolution: fixed
Fixed in Version: PR22Q1.2
Status: closed
Fix in branch:
Fixed in SCM revision:
Projection: none
ETA: none
Target Version: PR22Q1.2
OS: Any
Database: Any
Java version:
OS Version:
Database version:
Ant version:
Product Version: pi
SCM revision:
Review Assigned To:
Web browser:
Modules: Core
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No
Summary: 0049052: XML parsers XXE attacks vulnerability

Description: We have detected a SAXParser vulnerable to XXE attack in the class TranslationManager:

      // Default factory: no features set, so DOCTYPE declarations and external entities are accepted
      final SAXParserFactory factory = SAXParserFactory.newInstance();
      final SAXParser parser = factory.newSAXParser();
      // Input parsed as-is with the unhardened parser
      parser.parse(in, handler);


https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L641
https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L666
Steps To Reproduce: N/A
Proposed Solution: To create a new get method in the class XMLUtil.java as newSAXReader and to call it in the lines reported previously.
Tags: No tags attached.
Attached Files:

Relationships
blocks | design defect 0049039 | closed | AugustoMauch | XML parsers XXE attacks vulnerability

Notes
(0136726)
hgbot (developer)
2022-04-25 17:09

Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/568
(0136759)
hgbot (developer)
2022-04-26 14:27

Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/568
(0136760)
hgbot (developer)
2022-04-26 14:27

Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo
Changeset: dde64a620cae5e31b581586aad4532aa03d0b04a
Author: Augusto Mauch <augusto.mauch@openbravo.com>
Date: 26-04-2022 11:35:40
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/dde64a620cae5e31b581586aad4532aa03d0b04a

Fixes ISSUE-49052: Provides a safe way to create instances of SAXParser

A new method has been created in XMLUtil to create instances of SAXParser that are not vulnerable to XXE attacks

---
M src/org/openbravo/dal/xml/XMLUtil.java
M src/org/openbravo/erpCommon/ad_forms/TranslationManager.java
---

Issue History
Date Modified Username Field Change
2022-04-13 13:24 AugustoMauch Type design defect => backport
2022-04-13 13:24 AugustoMauch Target Version => PR22Q1.2
2022-04-25 17:09 hgbot Note Added: 0136726
2022-04-26 14:27 hgbot Resolution open => fixed
2022-04-26 14:27 hgbot Status scheduled => closed
2022-04-26 14:27 hgbot Note Added: 0136759
2022-04-26 14:27 hgbot Fixed in Version => PR22Q1.2
2022-04-26 14:27 hgbot Note Added: 0136760

